Enable a Wireless Guest Network (Fireware XTM OS v11.9.x and Higher)

To enable a wireless network for guest users, you can configure an access point in the custom zone and use the wireless interface alias when you configure the policies for traffic from wireless clients.

For more information on the custom zone, see Configure a Custom Interface.

To set up an access point on a wireless Firebox or XTM device as a guest network:

 
  1. Select Network > Wireless.
    The Wireless Configuration page appears.

Screen shot of the Wireless configuration page

  2. Select Enable wireless access points.
  3. Adjacent to an access point, click Configure.
    The Access Point Configuration dialog box appears.

Screen shot of the Wireless Guest Network configuration page

  4. Select the Enable Access Point x check box.
    For example, if you selected access point 1, select the Enable Access Point 1 check box.
  5. In the Interface Name (Alias) text box, you can change the alias name of the interface or use the default name.
  6. From the Interface Type drop-down list, select Custom.
  7. In the IP Address text box, type the private IP address to use for the wireless guest network.
    The IP address you specify must not already be in use on one of your network interfaces.
  8. To configure the device as a DHCP server when a wireless device tries to make a connection, from the drop-down list, select DHCP Server.
  9. Select the Wireless tab.
    The Wireless settings appear with the security settings for the wireless guest network.

Screen shot of the Wireless Guest Network - Wireless tab

  10. To make your wireless guest network name visible to guest users, select the Broadcast SSID and respond to SSID queries check box.
  11. To send a log message each time a wireless computer tries to connect to the guest wireless network, select the Log authentication events check box.
  12. To require wireless users to use the WatchGuard Mobile VPN with IPSec Client, select the Require encrypted Mobile VPN with IPSec connections for wireless clients check box.
    When you select this option, the device only allows DHCP, DNS, IKE (UDP port 500), and ESP packets over the wireless network. This can increase the security for wireless clients if you do not select WPA or WPA2 as the wireless authentication method.
  13. In the Network name (SSID) text box, type a unique name for your wireless guest network or keep the default name.
  14. From the Authentication drop-down list, select the type of authentication to enable for connections to the wireless guest network.
    Select the setting for the type of guest access you want to provide, and whether you want to require your guests to enter a passphrase to use the network.
  15. From the Encryption (Authentication) drop-down list, select the type of encryption to use for the wireless connection.
  16. From the Encryption algorithm drop-down list, select the encryption algorithm to use.
  17. In the Passphrase text box, specify the keys or passphrase required for the type of encryption you select.
    If you select an authentication option that uses pre-shared keys, a random pre-shared key is generated for you. You can use this key or type a new key.
  18. Click Return to Main Page.
  19. Click Save.

You can also configure your wireless guest network as a hotspot. For more information, see Enable a Hotspot.

Another configuration option you can select is to restrict access to the guest network by MAC address.

  1. To enable MAC access control, select the MAC Access Control tab.
  2. Configure the settings as described in Restrict Network Traffic by MAC Address.

Wireless Guest and Traffic Management

You can use Traffic Management on a policy for your wireless networks. This feature enables you to control the amount of bandwidth used by wireless guest networks to prevent wireless guest clients from using too many resources.

For more information on Traffic Management, see About Traffic Management and QoS.

Wireless Guest and Policies

You can use the Custom interface type for your wireless interface. Because a custom interface is not included in the list of built-in aliases, traffic for a custom interface is not allowed through the Firebox or XTM device unless you specifically configure policies to allow it. This default matters for wireless guest network security, because it makes sure guest users cannot access a trusted or optional network unless a policy explicitly allows it.

For wireless guest policies, we recommend that you create a new alias named Any-Guest. You can then use the Any-Guest alias in policies for your wireless guest network.

For more information, see Create an Alias.
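
The check below is an added example, not WatchGuard code or a Fireware export format. It audits a policy list for allow rules that let guest sources reach trusted or optional networks. The policy dictionary layout, the Guest-AP1 interface name, and all subnets are assumptions constructed for illustration; Any-Guest is the alias recommended above.

```python
import ipaddress

# Constructed sample data. The layout is an assumption for this example,
# not a format produced by the Firebox or XTM device.
GUEST_SOURCES = {"Any-Guest", "Guest-AP1"}        # alias + hypothetical interface name
GUEST_NET = ipaddress.ip_network("10.0.50.0/24")  # hypothetical guest subnet
INTERNAL_ALIASES = {"Any-Trusted", "Any-Optional", "Any"}  # "Any" also covers internal nets
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24")]

POLICIES = [
    {"name": "Guest-Web", "action": "allow", "from": ["Any-Guest"], "to": ["Any-External"]},
    {"name": "Guest-Print", "action": "allow", "from": ["10.0.50.0/24"], "to": ["10.0.1.25"]},
    {"name": "Guest-DNS", "action": "allow", "from": ["Guest-AP1"], "to": ["Any"]},
    {"name": "Block-Guest-LAN", "action": "deny", "from": ["Any-Guest"], "to": ["Any-Trusted"]},
    {"name": "Staff-Web", "action": "allow", "from": ["Any-Trusted"], "to": ["Any-External"]},
]

def _as_net(entry):
    """Return an ip_network for addresses and subnets, or None for alias names."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None

def is_guest_source(entry):
    """True if a From entry is a guest alias or overlaps the guest subnet."""
    net = _as_net(entry)
    return entry in GUEST_SOURCES or (net is not None and net.overlaps(GUEST_NET))

def reaches_internal(entry):
    """True if a To entry is an internal alias or overlaps an internal subnet."""
    net = _as_net(entry)
    if net is None:
        return entry in INTERNAL_ALIASES
    return any(net.overlaps(n) for n in INTERNAL_NETS)

def audit(policies):
    """List (policy name, offending destinations) for guest-to-internal allow rules."""
    findings = []
    for p in policies:
        if p["action"] != "allow" or not any(is_guest_source(s) for s in p["from"]):
            continue
        hits = [d for d in p["to"] if reaches_internal(d)]
        if hits:
            findings.append((p["name"], hits))
    return findings

if __name__ == "__main__":
    for name, hits in audit(POLICIES):
        print(f"{name}: guest traffic allowed to {', '.join(hits)}")
```

Rules that reference the guest network by subnet instead of by alias are caught as well, which is the case most easily missed in a manual review.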

See Also

Wireless Device Configuration Options

About Wireless Radio Settings

Configure IPv4 DHCP in Mixed Routing Mode

Enable/Disable SSID Broadcasts

Log Authentication Events

Change the SSID

Change the Fragmentation Threshold

Change the RTS Threshold

Set the Wireless Authentication Method

Set the Encryption Level
